SENATE BILL 98

55th legislature - STATE OF NEW MEXICO - second session, 2022

INTRODUCED BY

Michael Padilla and Andrea Romero

AN ACT

RELATING TO CYBERSECURITY; ENACTING THE CYBERSECURITY ACT; ESTABLISHING THE CYBERSECURITY OFFICE; CREATING THE CYBERSECURITY ADVISORY COMMITTEE; ESTABLISHING THE INTRAGOVERNMENTAL CYBERSECURITY COORDINATING COMMITTEE; CREATING THE STATE CHIEF OF INFORMATION SECURITY AND CHIEF INFORMATION SECURITY OFFICERS FOR THE ADMINISTRATIVE OFFICE OF THE COURTS AND THE LEGISLATIVE COUNCIL SERVICE; PROVIDING POWERS AND DUTIES; REQUIRING RULEMAKING AND REPORTS; MAKING APPROPRIATIONS; DECLARING AN EMERGENCY.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF NEW MEXICO:

     SECTION 1. [NEW MATERIAL] SHORT TITLE.--Sections 1 through 7 of this act may be cited as the "Cybersecurity Act".

     SECTION 2. [NEW MATERIAL] DEFINITIONS.--As used in the Cybersecurity Act:

          A. "chief information security officer" means the person responsible for developing and implementing a cybersecurity program, including standards designed to protect agency communications, systems and assets from both internal and external threats;

          B. "cybersecurity" means the protection of digital information networks, devices and data from unauthorized access or criminal use to ensure the confidentiality, integrity and availability of the digital information;

          C. "elective state officer" means a state official who is elected to an executive office established in the constitution of New Mexico as a separate entity from the agencies that are under the purview of the governor and includes the agency that the official administers;

          D. "local government" means the government of a municipality, county or political subdivision of the state;

          E. "public educational institution" means a public school, a school district, a public post-secondary educational institution or a state agency that provides administrative, funding or technical support to public schools, school districts and public post-secondary educational institutions;

          F. "standards" means standards, procedures and requirements adopted by a chief information security officer to ensure the cybersecurity of information technology and databases owned or maintained by a governmental agency or to respond to a cybersecurity threat or actual breach of cybersecurity experienced by a governmental agency; and

          G. "statewide cybersecurity plan" means a five-year plan, including recommended statutory changes and implementation requirements for the development and implementation of standards, for:

                (1) responding to cyberattacks and database intrusions and recommended cybersecurity training programs and certifications for state employees;

                (2) requiring collaboration among state agencies, local government agencies, public educational institutions and tribal agencies on cybersecurity and responses;

                (3) formally including local government agencies, or public educational institutions, in the statewide cybersecurity plan; and

                (4) entering into state-tribal or interstate agreements regarding cybersecurity.

     SECTION 3. [NEW MATERIAL] CYBERSECURITY OFFICE CREATED--STATE CHIEF OF INFORMATION SECURITY--STANDARDS.--

          A. The "cybersecurity office" is created within the department of information technology.

          B. The cybersecurity office shall be managed by the "state chief of information security", who shall be appointed by the secretary of information technology. The state chief of information security may hire staff as needed to meet the responsibilities of the cybersecurity office.

          C. The cybersecurity office shall:

                (1) establish preliminary standards on or before September 1, 2022 for all executive state agencies, and on or before September 1, 2023, update and adopt the standards by rule;

                (2) develop a statewide cybersecurity plan pursuant to Section 4 of the Cybersecurity Act; and

                (3) coordinate with the chief information security officers for the legislative council service, the administrative office of the courts and the elective state officers regarding standards for response actions to cybersecurity breaches.

     SECTION 4. [NEW MATERIAL] STATEWIDE CYBERSECURITY PLAN--ASSISTANCE FOR LOCAL GOVERNMENTS.--

          A. On or before September 1, 2022, the cybersecurity office shall develop and present to the governor and the appropriate legislative interim committee a preliminary five-year statewide cybersecurity plan. The preliminary plan shall include an assessment of cybersecurity services for governmental agencies and public educational institutions across the state compared to the standards established by various federal requirements for research grants or education or cybersecurity assistance programs.

          B. On or before July 1, 2023, the cybersecurity office shall adopt a revised and updated five-year statewide cybersecurity plan by rule and shall present the adopted plan to the governor and the appropriate legislative interim committee.

          C. On or before July 1, 2024 and on or before July 1 of each year thereafter, the cybersecurity office shall update and revise the statewide cybersecurity plan and present the updated and revised plan to the governor and the appropriate legislative interim committee.

          D. In the development of the statewide cybersecurity plan, the cybersecurity office shall request advice and provide opportunities for meaningful input from each local and tribal government within New Mexico, and all state agencies and public educational institutions shall cooperate with and provide relevant cybersecurity-related information collected or developed by the agencies as requested by the cybersecurity office.

          E. The cybersecurity office shall provide planning and technical assistance to local governments, public educational institutions and state agencies in the design, development or implementation of plans for the development of cybersecurity. When providing planning and technical assistance, the cybersecurity office shall encourage the use of regional planning and may provide planning and technical assistance to tribal government agencies and schools when those entities are participants in a joint powers agreement with a local government, public educational institution or state agency or a memorandum of understanding for the design, development or implementation of a regional cybersecurity plan.

     SECTION 5. [NEW MATERIAL] CYBERSECURITY ADVISORY COMMITTEE.--

          A. The "cybersecurity advisory committee" is created to assist the cybersecurity office in the development of the statewide cybersecurity plan.

          B. The cybersecurity advisory committee consists of:

                (1) the state chief of information security;

                (2) the chief information security officer for the administrative office of the courts;

                (3) the chief information security officer for the legislative council service;

                (4) three members appointed by the secretary of Indian affairs, including one representative of the Navajo Nation, one representative of Apache tribal governments and one representative of Indian pueblo tribal governments, who have experience with cybersecurity issues;

                (5) three members appointed by the state chief of information security representing county governmental agencies, who have experience with cybersecurity issues; provided that at least one member shall represent a county other than a class A or an H class county;

                (6) three members appointed by the state chief of information security representing municipal governmental agencies, who have experience with cybersecurity issues; provided that only one member may represent a home rule municipality; and

                (7) three members appointed by the governor, who represent different state agencies.

          C. The cybersecurity advisory committee may form subcommittees to address specific or regional cybersecurity issues as it deems necessary.

          D. The state chief of information security may invite representatives of unrepresented state, county, local or tribal agencies or public educational institutions to participate as ex-officio members of the cybersecurity advisory committee if the state chief of information security determines that their participation would be useful to the development of the state cybersecurity plan.

          E. The state chief of information security shall convene the initial meeting of the cybersecurity advisory committee within sixty days of the enactment of the Cybersecurity Act. After its initial meeting, the committee shall meet at least once a month until a statewide cybersecurity plan is adopted pursuant to Subsection B of Section 4 of the Cybersecurity Act. After a statewide cybersecurity plan is adopted, the advisory committee shall meet as deemed necessary by the state chief of information security, but at least once prior to August 1 of each year.

     SECTION 6. [NEW MATERIAL] COORDINATION OF STATE AND LOCAL GOVERNMENT CYBERSECURITY EFFORTS.--

          A. The cybersecurity office shall identify federal and nongovernmental cybersecurity funding assistance opportunities for local governments, public educational institutions, state agencies and tribal governments and shall publish a list of those opportunities in a manner that can be searched on a county-by-county basis.

          B. The cybersecurity office shall be the applicant for federal cybersecurity funding assistance for all executive state agencies; provided that with approval of the supreme court, the administrative office of the courts may independently apply for federal cybersecurity assistance; and provided further that with approval of the New Mexico legislative council, the legislative council service may independently apply for federal cybersecurity assistance.

          C. The cybersecurity office shall coordinate with state agencies and public educational institutions and, pursuant to applicable state-tribal or interstate agreements, may coordinate with tribal agencies or with agencies from other states for the purchase of cybersecurity software, hardware and services with the goal of implementing bulk pricing agreements.

     SECTION 7. [NEW MATERIAL] VACANCIES--INTRAGOVERNMENTAL CYBERSECURITY COORDINATION COMMITTEE.--

          A. The "intragovernmental cybersecurity coordination committee" is established. The committee consists of the state chief of information security, the chief information security officer for the administrative office of the courts, the chief information security officer for the legislative council service and the elective state officers or the elective state officers' designees; provided that:

                (1) if the position of state chief of information security is vacant, the secretary of information technology or the secretary's designee shall serve as the acting state chief of information security;

                (2) if the position of chief information security officer for the administrative office of the courts is vacant, the director of the administrative office of the courts or the director's designee shall serve as the acting chief information security officer; and

                (3) if the position of chief information security officer for the legislative council service is vacant, the director of the legislative council service or the director's designee shall serve as the acting chief information security officer.

          B. Within thirty days of the enactment of the Cybersecurity Act and at least quarterly thereafter, the intragovernmental cybersecurity coordination committee shall meet to ensure that the standards for each branch of government are compatible.

     SECTION 8. A new section of Chapter 2, Article 3 NMSA 1978 is enacted to read:

     "[NEW MATERIAL] CHIEF INFORMATION SECURITY OFFICER--DUTIES.--

          A. The position of "chief information security officer" is created within the legislative council service, and the director of the legislative council service shall appoint the chief information security officer.

          B. The chief information security officer shall:

                (1) develop and implement standards as defined in the Cybersecurity Act for the legislature and its committees, staff and services;

                (2) coordinate the development and implementation of standards with the state chief of information security and the chief information security officer for the administrative office of the courts pursuant to Section 7 of the Cybersecurity Act; and

                (3) on or before September 1, 2022 and by September 1 of each subsequent year, provide a report to the New Mexico legislative council and the appropriate legislative interim committee regarding the development of standards and the status of cybersecurity as defined in the Cybersecurity Act for the legislature, legislative committees and the legislative council service.

          C. The report provided pursuant to Subsection B of this section shall be confidential and only presented in an executive session of the New Mexico legislative council or the appropriate legislative interim committee."

     SECTION 9. A new section of Chapter 34, Article 9 NMSA 1978 is enacted to read:

     "[NEW MATERIAL] CHIEF INFORMATION SECURITY OFFICER--DUTIES.--

          A. The position of "chief information security officer" is created within the administrative office of the courts, and the director of the administrative office of the courts shall appoint the chief information security officer.

          B. The chief information security officer shall:

                (1) develop and implement standards as defined in the Cybersecurity Act for the administrative office of the courts and the courts;

                (2) coordinate the development and implementation of standards with the state chief of information security and the chief information security officer for the legislative council service pursuant to Section 7 of the Cybersecurity Act; and

                (3) on or before September 1, 2022 and by September 1 of each subsequent year, provide a report to the supreme court regarding the development of standards and the status of cybersecurity as defined in the Cybersecurity Act for the state's court system.

          C. The report provided pursuant to Subsection B of this section shall be confidential and only presented in a closed session of the supreme court."

     SECTION 10. APPROPRIATIONS.--

          A. One million dollars ($1,000,000) is appropriated from the general fund to the department of information technology for expenditure in fiscal years 2022 and 2023 to establish and operate the cybersecurity office. The appropriation may be used to hire up to five full-time-equivalent staff. Any unexpended or unencumbered balance remaining at the end of fiscal year 2023 shall revert to the general fund.

          B. One hundred fifty thousand dollars ($150,000) is appropriated from the general fund to the legislative council service for expenditure in fiscal years 2022 and 2023 to establish the position of chief information security officer for the legislative council service. Any unexpended or unencumbered balance remaining at the end of fiscal year 2023 shall revert to the general fund.

          C. One hundred fifty thousand dollars ($150,000) is appropriated from the general fund to the administrative office of the courts for expenditure in fiscal years 2022 and 2023 to establish the position of chief information security officer for the administrative office of the courts. Any unexpended or unencumbered balance remaining at the end of fiscal year 2023 shall revert to the general fund.

     SECTION 11. EMERGENCY.--It is necessary for the public peace, health and safety that this act take effect immediately.

- 13 -